Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / a7aededa7dafdeb1d15cad28e98eadba78b2c0bb / . / keystore / java / android / security / Credentials.java
blob: f53a7dc922f0da5c5c6a61027353b7f75528ecd2 [file] [log] [blame]
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]1/*
2 * Copyright (C) 2009 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.security;
18
Artur Satayev53fe9662019-12-10 17:47:55 +0000[diff] [blame]19import android.compat.annotation.UnsupportedAppUsage;
Eran Messerid6ee4aa2019-09-10 17:23:48 +0100[diff] [blame]20
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]21import com.android.org.bouncycastle.util.io.pem.PemObject;
22import com.android.org.bouncycastle.util.io.pem.PemReader;
23import com.android.org.bouncycastle.util.io.pem.PemWriter;
Shawn Willden8d8c7472016-02-02 08:27:39 -0700[diff] [blame]24
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]25import java.io.ByteArrayInputStream;
26import java.io.ByteArrayOutputStream;
27import java.io.IOException;
28import java.io.InputStreamReader;
29import java.io.OutputStreamWriter;
30import java.io.Reader;
31import java.io.Writer;
Elliott Hughesd396a442013-06-28 16:24:48 -0700[diff] [blame]32import java.nio.charset.StandardCharsets;
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]33import java.security.cert.Certificate;
34import java.security.cert.CertificateEncodingException;
35import java.security.cert.CertificateException;
36import java.security.cert.CertificateFactory;
Kenny Root5423e682011-11-14 08:43:13 -0800[diff] [blame]37import java.security.cert.X509Certificate;
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]38import java.util.ArrayList;
39import java.util.List;
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]40
41/**
42 * {@hide}
43 */
44public class Credentials {
45 private static final String LOGTAG = "Credentials";
Chia-chi Yeh44039172009-09-21 11:53:59 +0800[diff] [blame]46
Chia-chi Yeh44039172009-09-21 11:53:59 +0800[diff] [blame]47 public static final String INSTALL_ACTION = "android.credentials.INSTALL";
48
Kenny Root3e7be432013-03-28 09:25:51 -0700[diff] [blame]49 public static final String INSTALL_AS_USER_ACTION = "android.credentials.INSTALL_AS_USER";
50
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]51 /** Key prefix for CA certificates. */
52 public static final String CA_CERTIFICATE = "CACERT_";
53
54 /** Key prefix for user certificates. */
55 public static final String USER_CERTIFICATE = "USRCERT_";
56
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]57 /** Key prefix for user private and secret keys. */
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]58 public static final String USER_PRIVATE_KEY = "USRPKEY_";
59
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]60 /** Key prefix for user secret keys.
61 * @deprecated use {@code USER_PRIVATE_KEY} for this category instead.
62 */
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]63 public static final String USER_SECRET_KEY = "USRSKEY_";
64
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]65 /** Key prefix for VPN. */
66 public static final String VPN = "VPN_";
67
Benedict Wong048e2482019-11-05 12:53:27 -0800[diff] [blame]68 /** Key prefix for platform VPNs. */
69 public static final String PLATFORM_VPN = "PLATFORM_VPN_";
70
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]71 /** Key prefix for WIFI. */
72 public static final String WIFI = "WIFI_";
73
Victor Hsiehde6cd472019-10-30 10:02:20 -0700[diff] [blame]74 /** Key prefix for App Source certificates. */
75 public static final String APP_SOURCE_CERTIFICATE = "FSV_";
76
Jeff Sharkey69ddab42012-08-25 00:05:46 -0700[diff] [blame]77 /** Key containing suffix of lockdown VPN profile. */
78 public static final String LOCKDOWN_VPN = "LOCKDOWN_VPN";
79
Alex Johnstonfde28692019-10-15 10:18:03 +0100[diff] [blame]80 /** Name of CA certificate usage. */
81 public static final String CERTIFICATE_USAGE_CA = "ca";
82
83 /** Name of User certificate usage. */
84 public static final String CERTIFICATE_USAGE_USER = "user";
85
86 /** Name of WIFI certificate usage. */
87 public static final String CERTIFICATE_USAGE_WIFI = "wifi";
88
Victor Hsiehde6cd472019-10-30 10:02:20 -0700[diff] [blame]89 /** Name of App Source certificate usage. */
90 public static final String CERTIFICATE_USAGE_APP_SOURCE = "appsrc";
91
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]92 /** Data type for public keys. */
Brian Carlstroma00a2b32011-06-29 10:42:35 -0700[diff] [blame]93 public static final String EXTRA_PUBLIC_KEY = "KEY";
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]94
95 /** Data type for private keys. */
Brian Carlstroma00a2b32011-06-29 10:42:35 -0700[diff] [blame]96 public static final String EXTRA_PRIVATE_KEY = "PKEY";
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]97
Brian Carlstrom67c30df2011-06-24 02:13:23 -0700[diff] [blame]98 // historically used by Android
99 public static final String EXTENSION_CRT = ".crt";
100 public static final String EXTENSION_P12 = ".p12";
101 // commonly used on Windows
102 public static final String EXTENSION_CER = ".cer";
103 public static final String EXTENSION_PFX = ".pfx";
104
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]105 /**
Kenny Root3e7be432013-03-28 09:25:51 -0700[diff] [blame]106 * Intent extra: install the certificate bundle as this UID instead of
107 * system.
108 */
109 public static final String EXTRA_INSTALL_AS_UID = "install_as_uid";
110
111 /**
Alex Johnstonfde28692019-10-15 10:18:03 +0100[diff] [blame]112 * Intent extra: type of the certificate to install
113 */
114 public static final String EXTRA_CERTIFICATE_USAGE = "certificate_install_usage";
115
116 /**
Eran Messerid6ee4aa2019-09-10 17:23:48 +0100[diff] [blame]117 * Intent extra: name for the user's key pair.
Kenny Root5423e682011-11-14 08:43:13 -0800[diff] [blame]118 */
Eran Messerid6ee4aa2019-09-10 17:23:48 +0100[diff] [blame]119 public static final String EXTRA_USER_KEY_ALIAS = "user_key_pair_name";
Kenny Root5423e682011-11-14 08:43:13 -0800[diff] [blame]120
121 /**
122 * Intent extra: data for the user's private key in PEM-encoded PKCS#8.
123 */
124 public static final String EXTRA_USER_PRIVATE_KEY_DATA = "user_private_key_data";
125
126 /**
Kenny Root5423e682011-11-14 08:43:13 -0800[diff] [blame]127 * Intent extra: data for the user's certificate in PEM-encoded X.509.
128 */
129 public static final String EXTRA_USER_CERTIFICATE_DATA = "user_certificate_data";
130
131 /**
Kenny Root5423e682011-11-14 08:43:13 -0800[diff] [blame]132 * Intent extra: data for CA certificate chain in PEM-encoded X.509.
133 */
134 public static final String EXTRA_CA_CERTIFICATES_DATA = "ca_certificates_data";
135
136 /**
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]137 * Convert objects to a PEM format which is used for
138 * CA_CERTIFICATE and USER_CERTIFICATE entries.
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]139 */
Andrei Onea4aa2a202019-02-27 14:22:05 +0000[diff] [blame]140 @UnsupportedAppUsage
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]141 public static byte[] convertToPem(Certificate... objects)
142 throws IOException, CertificateEncodingException {
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]143 ByteArrayOutputStream bao = new ByteArrayOutputStream();
Elliott Hughesd396a442013-06-28 16:24:48 -0700[diff] [blame]144 Writer writer = new OutputStreamWriter(bao, StandardCharsets.US_ASCII);
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]145 PemWriter pw = new PemWriter(writer);
146 for (Certificate o : objects) {
147 pw.writeObject(new PemObject("CERTIFICATE", o.getEncoded()));
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]148 }
149 pw.close();
150 return bao.toByteArray();
151 }
152 /**
153 * Convert objects from PEM format, which is used for
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]154 * CA_CERTIFICATE and USER_CERTIFICATE entries.
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]155 */
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]156 public static List<X509Certificate> convertFromPem(byte[] bytes)
157 throws IOException, CertificateException {
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]158 ByteArrayInputStream bai = new ByteArrayInputStream(bytes);
Elliott Hughesd396a442013-06-28 16:24:48 -0700[diff] [blame]159 Reader reader = new InputStreamReader(bai, StandardCharsets.US_ASCII);
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]160 PemReader pr = new PemReader(reader);
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]161
Shawn Willden8d8c7472016-02-02 08:27:39 -0700[diff] [blame]162 try {
163 CertificateFactory cf = CertificateFactory.getInstance("X509");
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]164
Shawn Willden8d8c7472016-02-02 08:27:39 -0700[diff] [blame]165 List<X509Certificate> result = new ArrayList<X509Certificate>();
166 PemObject o;
167 while ((o = pr.readPemObject()) != null) {
168 if (o.getType().equals("CERTIFICATE")) {
169 Certificate c = cf.generateCertificate(new ByteArrayInputStream(o.getContent()));
170 result.add((X509Certificate) c);
171 } else {
172 throw new IllegalArgumentException("Unknown type " + o.getType());
173 }
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]174 }
Shawn Willden8d8c7472016-02-02 08:27:39 -0700[diff] [blame]175 return result;
176 } finally {
177 pr.close();
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]178 }
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]179 }
180
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]181 /**
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]182 * Delete all types (private key, user certificate, CA certificate) for a
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]183 * particular {@code alias}. All three can exist for any given alias.
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]184 * Returns {@code true} if the alias no longer contains any types.
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]185 */
Alex Klyubindcdaf872015-05-13 15:57:09 -0700[diff] [blame]186 public static boolean deleteAllTypesForAlias(KeyStore keystore, String alias) {
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]187 return deleteAllTypesForAlias(keystore, alias, KeyStore.UID_SELF);
188 }
189
190 /**
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]191 * Delete all types (private key, user certificate, CA certificate) for a
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]192 * particular {@code alias}. All three can exist for any given alias.
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]193 * Returns {@code true} if the alias no longer contains any types.
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]194 */
195 public static boolean deleteAllTypesForAlias(KeyStore keystore, String alias, int uid) {
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]196 /*
197 * Make sure every type is deleted. There can be all three types, so
198 * don't use a conditional here.
199 */
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]200 return deleteUserKeyTypeForAlias(keystore, alias, uid)
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]201 & deleteCertificateTypesForAlias(keystore, alias, uid);
Kenny Root802768d2012-08-21 15:23:35 -0700[diff] [blame]202 }
203
204 /**
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]205 * Delete certificate types (user certificate, CA certificate) for a
206 * particular {@code alias}. Both can exist for any given alias.
207 * Returns {@code true} if the alias no longer contains either type.
Kenny Root802768d2012-08-21 15:23:35 -0700[diff] [blame]208 */
Alex Klyubindcdaf872015-05-13 15:57:09 -0700[diff] [blame]209 public static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias) {
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]210 return deleteCertificateTypesForAlias(keystore, alias, KeyStore.UID_SELF);
211 }
212
213 /**
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]214 * Delete certificate types (user certificate, CA certificate) for a
215 * particular {@code alias}. Both can exist for any given alias.
216 * Returns {@code true} if the alias no longer contains either type.
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]217 */
218 public static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias, int uid) {
Kenny Root802768d2012-08-21 15:23:35 -0700[diff] [blame]219 /*
220 * Make sure every certificate type is deleted. There can be two types,
221 * so don't use a conditional here.
222 */
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]223 return keystore.delete(Credentials.USER_CERTIFICATE + alias, uid)
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]224 & keystore.delete(Credentials.CA_CERTIFICATE + alias, uid);
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]225 }
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]226
227 /**
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]228 * Delete user key for a particular {@code alias}.
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]229 * Returns {@code true} if the entry no longer exists.
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]230 */
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]231 public static boolean deleteUserKeyTypeForAlias(KeyStore keystore, String alias) {
232 return deleteUserKeyTypeForAlias(keystore, alias, KeyStore.UID_SELF);
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]233 }
234
235 /**
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]236 * Delete user key for a particular {@code alias}.
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]237 * Returns {@code true} if the entry no longer exists.
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]238 */
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]239 public static boolean deleteUserKeyTypeForAlias(KeyStore keystore, String alias, int uid) {
Janis Danisevskis906147c2018-11-06 14:14:05 -0800[diff] [blame]240 int ret = keystore.delete2(Credentials.USER_PRIVATE_KEY + alias, uid);
241 if (ret == KeyStore.KEY_NOT_FOUND) {
242 return keystore.delete(Credentials.USER_SECRET_KEY + alias, uid);
243 }
244 return ret == KeyStore.NO_ERROR;
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]245 }
246
247 /**
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]248 * Delete legacy prefixed entry for a particular {@code alias}
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]249 * Returns {@code true} if the entry no longer exists.
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]250 */
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]251 public static boolean deleteLegacyKeyForAlias(KeyStore keystore, String alias, int uid) {
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]252 return keystore.delete(Credentials.USER_SECRET_KEY + alias, uid);
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]253 }
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]254}